The name parameter in the above URLs corresponds to the text of the tweet that started the chain, which allows the operators of the propagation campaign to determine which combinations of terms (listed at the beginning of this post) made the best lures. The series of redirects ends at the page shown in the screenshot below, which offers a fake video that the user will likely assume is of Erin Andrews.

The fake video, served via hxxp://newfileexe.com/onlinemovies.40014.exe, is a trojan downloader: a small piece of malware that, when executed, will download and execute other malicious programs. AV detections for this instance are practically non-existent.

One of the most fascinating parts of this campaign is how the trojan downloader retrieves additional malware. Instead of downloading executables, the downloader fetches the following image files:

Hidden inside these viewable GIF files (as comment blocks) are encrypted malware executables. After retrieving the files, the downloader extracts the comments, transforms them back into malware, and executes them.
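For defenders triaging images fetched by a suspected downloader, the check below (an added example, not code from the original post or from the malware) walks a GIF's block structure, collects every Comment Extension payload, and flags those that are both large and high-entropy, as encrypted data would be. The function names, the thresholds and the sample file are assumptions constructed for illustration.

```python
import hashlib, math
from collections import Counter

def _sub_blocks(data, pos):
    """Read length-prefixed sub-blocks up to the 0x00 terminator."""
    out = bytearray()
    while data[pos]:
        out += data[pos + 1:pos + 1 + data[pos]]
        pos += 1 + data[pos]
    return bytes(out), pos + 1

def gif_comments(data):
    """Return the payload of every Comment Extension (0x21 0xFE)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 13                                   # header + logical screen descriptor
    if data[10] & 0x80:                        # skip global color table
        pos += 3 * (2 << (data[10] & 7))
    comments = []
    while pos < len(data) and data[pos] != 0x3B:   # 0x3B = trailer
        if data[pos] == 0x21:                  # extension: label, then sub-blocks
            label = data[pos + 1]
            payload, pos = _sub_blocks(data, pos + 2)
            if label == 0xFE:
                comments.append(payload)
        elif data[pos] == 0x2C:                # image descriptor
            flags = data[pos + 9]
            pos += 10
            if flags & 0x80:                   # skip local color table
                pos += 3 * (2 << (flags & 7))
            _, pos = _sub_blocks(data, pos + 1)    # +1 skips LZW min code size
        else:
            raise ValueError(f"unexpected block 0x{data[pos]:02x} at offset {pos}")
    return comments

def entropy(buf):
    """Shannon entropy in bits per byte (8.0 = uniformly random)."""
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in Counter(buf).values())

def suspicious_comments(data, min_len=512, min_entropy=7.0):
    """Comments that are both large and near-random (assumed thresholds)."""
    return [c for c in gif_comments(data) if len(c) >= min_len and entropy(c) >= min_entropy]

def constructed_sample():
    """Constructed 1x1 GIF: one text comment, one 2048-byte random-looking comment."""
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    subs = b"".join(bytes([len(blob[i:i + 255])]) + blob[i:i + 255] for i in range(0, 2048, 255))
    return (b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + bytes(6) + b"\x21\xfe\x0fCreated by tool\x00"
            + b"\x21\xfe" + subs + b"\x00" + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x4c\x01\x00\x3b")
```

A truncated or malformed file raises `IndexError` or `ValueError` rather than returning a partial result, which is itself worth logging during triage.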